This is an overview of VoIP fraud, different types of fraud and what telecommunication carriers are doing to combat this issue. Types of fraud include International / Premium Number Fraud, Impersonation / Social Engineering, Service Degradation / Denial of service. Presented by Mark Magnusson at KazooCon 2015.
2. @kazoocon
History of telecom fraud
Fraud has been around as long as the telephone
Phone “phreaking” has been around since the 1950s
Early fraud techniques relied on exploiting in-band signaling using special tones
This was done with custom electronics that people could build themselves, “boxes”, often referred to by different colors
3. @kazoocon
History of telecom fraud
Red Box
Used to generate tones that would correspond to coins being inserted in a pay phone
5. @kazoocon
History of telecom fraud
Blue Box
One of the more infamous 'boxes'
Sends a 2600 Hz tone to seize control of long-distance trunks
Used to make free long-distance calls
6. @kazoocon
History of telecom fraud
These early methods were rendered obsolete by the move to out-of-band signaling and digital equipment
By the late 1990s these methods were ineffective against the majority of phone systems
Right around that time, VoIP started emerging
As the phone systems and technologies evolved, so did fraud against them
7. @kazoocon
Fraud in the modern era
VoIP is much more powerful than early phone systems; this provides a much greater attack surface for attacks and fraud
The impact of fraud is potentially much greater as a result
Larger and more coordinated criminal enterprises are now focused on exploiting VoIP and phone systems
Computers can automate exploitation, increasing results and lowering the barrier to entry for would-be criminals
As a result the impact and prevalence of fraud has increased dramatically
8. @kazoocon
Impact
In 2013 the cost of toll fraud was estimated at 46 billion dollars
This was a 15% increase since 2011
Often affects small businesses the hardest
They are less prepared to combat fraud
The financial impact is much greater
Often left on the hook for charges
Source: Communications Fraud Control
10. @kazoocon
International / Premium Number Fraud
Can be used to make free calls
These days, foreign VoIP operators use this to try to route MILLIONS of dollars of calls via unsuspecting systems
Calls don't need to be real as long as they cause billing to occur
The attacker benefits from the bogus, billed calls, often getting a cut of the cost
Believe it or not...
VoIP fraud has become a very “organized crime”
No longer just a few individuals trying to call Grandma for free
11. @kazoocon
Impersonation / Social Engineering
Caller ID spoofing can be used to impersonate a 3rd party
Used to make a call to a target person appear to originate from a legitimate source, which assists the attacker in obtaining confidential information
Can also be used to place calls to a target and then quickly hang up in an attempt to get the target to call back
When they call back, the caller ID is instead a premium or international number, and they are charged for it
Exploits mostly human weaknesses; as such it is very difficult to prevent
Caller ID spoofing can be used for some very nefarious things
12. @kazoocon
Service Degradation / Denial of service
Attacker attempts to overload the system with bogus requests
Registration attempts with no key
Since the key must be stored temporarily, enough of these messages in a short time period can lead to memory exhaustion
Overloading servers with unresolvable DNS names in SIP messages
The server attempts to resolve a bogus DNS entry, which takes time; enough of these requests in a short enough timespan can cause the server to stop responding to legitimate requests
Spamming legitimate INVITEs
This can swamp the system with calls that appear legitimate, but then just end up playing Rick Astley in a loop
14. @kazoocon
Enumeration / Scanning
Automated attacks that attempt to find externally vulnerable systems
One popular method is “friendly-scanner”
Freely available tool
Once they scan, they DoS or start more targeted attacks
Example kamailio log:
Oct 1 23:07:06 lb001 kamailio[919]: WARNING: <script>: 403961299714971072758039|end|dropping message with user-agent friendly-scanner from 77.221.158.186:5063
Sometimes, the hacker doesn’t realize he’s hit a phone, not a server
Extension 100 rings an actual phone (local SIP port) over and over and users are wondering why
This is because the phone itself is on 5060 and externally accessible
15. @kazoocon
PBX dial through / forwarding
Placing a call to a business and then exploiting their PBX to route the call to an external number
This can be done if the PBX is improperly configured (such as allowing callers to perform transfers)
Can also be done by exploiting call forwarding to an external number
Calls will then be placed from the target business to a high-cost premium or international number
The business is then charged for the high cost of those calls
Once a vulnerable system is identified the attack can be automated, greatly increasing its impact
16. @kazoocon
PBX registration exploitation
Attempting to register a device on the target PBX
Relies on exploiting weak or default credentials with the goal of having a device capable of placing calls via the target PBX
Very easy to automate
Easy to detect IF someone is monitoring the frequency of registration attempts on the system
17. @kazoocon
Server based attacks
Exploit security vulnerabilities in the server software
Can be used to attempt to root the server itself, or to place unauthorized calls
Example: AST-2008-003, where specially crafted FROM headers would allow unauthorized calls to be placed
An even larger attack surface, since the server security itself is also a target
Any other services running on the server provide potential attack vectors
Once the server itself is compromised, the PBX system can then be exploited easily
18. @kazoocon
Phone based attacks
People often do not realize that modern VoIP phones are themselves small computers
Many run slimmed-down Linux systems and services
Often possible due to weak voicemail, user, or admin passwords
Can be used to set call forwarding to a premium external number; the attacker then places many calls that are forwarded out
Automating password guessing for voicemail, or spoofing caller ID to access mailboxes
Can be used to eavesdrop on voicemail
There have been several high-profile examples of this
Configuration can be exploited or downloaded if it is externally accessible
19. @kazoocon
Attacks on people
Not the kind with a baseball bat… attacks that deceive users into providing information
These attacks are very difficult to prevent and mitigate (people are easily fooled)
End user education is the most effective prevention method here, however most people do not want to bother with it
Luckily (for you) the impact of these attacks is usually localized to the person in question, and not the system itself
21. @kazoocon
Some General Tips
Avoid being the low-hanging fruit
Most widely targeted attacks will not bother with you if your system is not easily exploitable, as there are plenty that are; make yours not worth their time
Ensure that your configuration and permissions are as restrictive as possible while still allowing normal operation
22. @kazoocon
Network / Server Security
Correctly configure and use firewalls / SBCs
Limit the external exposure of your phones and systems
Filter out traffic from known bad addresses
Keep servers patched and up to date
If the server is compromised, so is your phone system (and potentially lots more)
Ensure that the minimum number of services are running and externally accessible to reduce the attack vectors against the system
23. @kazoocon
Kazoo Tips
SECURE YOUR PHONES!
Secure BOTH the user and admin accounts
Upgrade to the latest firmware
Keep phones behind firewalls
The new provisioner helps with many of these things
The new provisioner forces a different user / admin password
The new provisioner changes the local SIP port so it can’t be 5060
Forces new firmware (that we know is secure)
24. @kazoocon
Use limits and restrict access
Use Kazoo’s limits. It’s worth taking the time to learn how they work and set them properly.
They allow you to limit the impact of any fraud
Especially important because you may not be able to prevent sub-accounts from making easily exploitable mistakes
High limit for your master reseller account
Low limit for the sub-accounts
Blocked classifiers / areas for high-rate and international numbers
IaaS installs can have custom classifiers that get even more specific
25. @kazoocon
Real time monitoring
2600hz has carriers who block suspicious repeat calling to high-rate areas
If we see over 100 calls to Saudi Arabia in a row, the number is automatically blocked
We get a notice and the area is flagged with who did the calling so we can investigate
Real-time monitoring is essential in quickly detecting and mitigating any fraud
Know your system and the typical traffic / requests that are handled so that you can more easily notice something out of the ordinary
Certain detection is easy to automate:
Sharp increase in registration attempts
Sudden flood of INVITEs
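The three automatable checks the deck mentions (counting friendly-scanner drops from the kamailio log on the Enumeration slide, spotting registration or INVITE bursts per source, and the carrier-side "N calls in a row to a high-rate area" rule) as an added example, not code from the deck or from Kazoo; the log lines, IPs, account names and numbers are constructed, and thresholds are parameters rather than 2600hz's real values.

```python
import re
from collections import defaultdict, deque

# Matches the kamailio WARNING format shown on the Enumeration slide.
SCANNER_RE = re.compile(
    r"dropping message with user-agent (?P<ua>\S+) from (?P<ip>[\d.]+):\d+")


def scanner_hits(log_lines, user_agent="friendly-scanner"):
    """Count kamailio drop warnings per source IP for one scanning user-agent."""
    hits = defaultdict(int)
    for line in log_lines:
        m = SCANNER_RE.search(line)
        if m and m.group("ua") == user_agent:
            hits[m.group("ip")] += 1
    return dict(hits)


class RateDetector:
    """Sliding-window counter: a (method, source) pair trips the detector when
    more than `limit` events land inside `window` seconds. Covers the
    registration bursts and INVITE floods the deck calls easy to automate."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)  # (method, src) -> recent timestamps

    def observe(self, method, src, ts):
        """Record one SIP request (timestamps must arrive in order)."""
        q = self.seen[(method, src)]
        q.append(ts)
        while ts - q[0] > self.window:  # forget timestamps outside the window
            q.popleft()
        return len(q) > self.limit


def consecutive_calls_alert(cdrs, prefix, threshold):
    """Return accounts that placed `threshold` calls in a row to `prefix`
    (the carrier-side rule the deck describes for high-rate destinations)."""
    runs, flagged = defaultdict(int), set()
    for account, dialed in cdrs:  # call records in time order
        runs[account] = runs[account] + 1 if dialed.startswith(prefix) else 0
        if runs[account] >= threshold:
            flagged.add(account)
    return flagged
```

Feed `scanner_hits` the kamailio log and `RateDetector.observe` each REGISTER/INVITE as it is seen; a source that trips either is a candidate for the firewall filtering the deck recommends.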
26. @kazoocon
User education
Make people aware of these types of attacks
This is the only effective method to prevent people themselves from being easily exploited
The more people you have looking out for suspicious and strange usage and activity, the better your odds of detecting it